Thanks,

        Will try out that - will upgrade the kernel and see how it works.

        George.


On Friday 05 May 2006 09:39 am, Patrick McHardy wrote:
> G Georgiev wrote:
> >     Hi,
> >
> >     Could not conceive a working set-up for an IPSEC VPN made with
> > racoon/setkey on which I have one address on my side acting as an SNAT
> > router for all traffic from my network to a network segment on the far
> > side.
> >
> > my network  --- my gateway  ---------------------- remote network
> > 10.0.0.0/24  - 10.0.0.1 (10.253.0.2)  -- tunnel - 192.168.0.0/22
> >
> >     All traffic starts on my side, so if I can SNAT/MASQUERADE packets to
> > the tunnel address (10.253.0.2) it shall work. This would have been
> > possible with FreeSwan, as it created network interfaces (ipsec0,
> > ipsec1..), however with setkey there is no way of making it.
> >
> >     The VPN starts on the gateway, simply all traffic destined to
> > 192.168.0.0/22 should get an SNAT to 10.253.0.2 and go via the tunnel.
> > SNAT however is available only in POSTROUTING chain, and no outgoing
> > interface really exists with setkey.
> >
> >     So, next rule should be implemented on the gateway: "Packets going to
> > 192.168.0.0/22 should be SNAT to 10.253.0.2 and go via the tunnel"
> >
> >     Some ideas?
>
> Starting with 2.6.16 the kernel supports NAT with IPsec and includes
> a "policy" match, which allows you to do similar things like
> the "-o ipsec0" matching done with klips.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
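As an added example (not code from the thread), the rule Patrick's reply points at: a POSTROUTING SNAT restricted with the xt_policy match that 2.6.16 introduced in place of KLIPS's "-o ipsec0", plus a check that the running kernel is new enough. Addresses follow George's diagram; the function names are my own.

```shell
#!/bin/sh
# Assumed topology from the original mail: LAN behind the gateway, the
# gateway's tunnel-side address, and the remote segment reached via IPsec.
LAN_NET="10.0.0.0/24"
TUNNEL_ADDR="10.253.0.2"
REMOTE_NET="192.168.0.0/22"

# Return 0 when a kernel version string is >= 2.6.16, the first release with
# NAT-before-IPsec and the "policy" match (e.g. "2.6.15", "2.6.20-rc2", "3.10").
kernel_supports_ipsec_nat() {
    maj=$(echo "$1" | cut -d. -f1)
    min=$(echo "$1" | cut -s -d. -f2)
    pat=$(echo "$1" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    : "${min:=0}" "${pat:=0}"
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -gt 6 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "$pat" -ge 16 ] && return 0
    return 1
}

# Emit the nat rule. "-m policy --dir out --pol ipsec --mode tunnel" restricts the
# SNAT to packets the SPD will actually encapsulate, so only traffic entering
# the tunnel is rewritten to the tunnel address, nothing else leaving the box.
snat_into_tunnel_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -m policy --dir out --pol ipsec --mode tunnel -j SNAT --to-source %s\n' \
        "$LAN_NET" "$REMOTE_NET" "$TUNNEL_ADDR"
}

running=$(uname -r)
if kernel_supports_ipsec_nat "$running"; then
    echo "# kernel $running: NAT with IPsec and the policy match are available"
    snat_into_tunnel_rule
else
    echo "# kernel $running is older than 2.6.16: upgrade before relying on NAT+IPsec" >&2
fi
```

The script only prints the rule; run the printed command as root on the gateway once the SPD entries for the tunnel are loaded with setkey.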